Wiki AAA With Active Directory

The document describes setting up authentication, authorization and accounting (AAA) between a MikroTik router and an Active Directory server using Internet Authentication Service (IAS) RADIUS. It provides a 4 part process: 1) setting up IAS on the Active Directory server, 2) configuring IAS RADIUS settings, 3) adding the RADIUS server to MikroTik, and 4) testing the connection and ensuring users have proper permissions. The goal is to authenticate and authorize users on the MikroTik hotspot against the Active Directory user list.

Uploaded by

Charlston Leite
Copyright
© Attribution Non-Commercial (BY-NC)
AAA with Active Directory - MikroTik Wiki

AAA with Active Directory


Example One
MT setup

Windows Setup

Example Two
Part A - Setup IAS RADIUS on Active Directory Services

http://wiki.mikrotik.com/wiki/AAA_with_Active_Directory

07/04/2011

Set up IAS on a server acting as the Active Directory Services Domain Controller and register its services.

Give a meaningful description and enable logging for authentication status.

Use only port 1812 for Authentication and port 1813 for Accounting.

Create a Realms profile in IAS: find User-Name and replace it with DOMAIN\User-Name.

Create a hotspot.com client profile and set the IP address to point to the MikroTik hotspot server, 172.19.1.253. Set Client Ve RADIUS Standard and enter a unique password for IAS. Do not enable the Attributes Signature check box.

Enable the Remote Access Logging check boxes for all properties.

Select IAS Format and set Log Time Period to Daily.

Create Remote Access Policies profile to hotspot.com. Add Windows-Groups matches DOMAIN\Username

remote access permission.

On the Authentication tab, enable the check boxes for the MS-CHAP v2, MS-CHAP, CHAP and PAP methods. Note HotSpot only uses PA

On the Encryption tab, enable all the check boxes allowed by this profile.

On the Advanced tab, do not add any additional connection attributes.

Part B - Setup IAS RADIUS with MikroTik

Add a RADIUS server profile and enable the service for hotspot. Enter the IP address of the IAS RADIUS server. Enter the same p created earlier for RADIUS secret. Use port 1812 for Authentication and 1813 for Accounting, with Timeout at 300ms.

In Hotspot Server Profiles, under Login By, check HTTP PAP only.

In Hotspot Server Profiles, check Use RADIUS and Accounting. Leave NAS Port Type as (19 wireless-802.11) or (Ethernet) mode.

Part C - Testing IAS RADIUS with PC

1. Use NTRadPing Test Utility to verify the communication link with a test PC. http://www.dialways.com/download/

2. Remember to add the IP address of the test PC to the IAS Client Profile before initiating the test.

3. Enter the IAS RADIUS server IP Address and port 1812 for Request Type Authentication Request RADIUS Secret Key.

4. Also enter the User-Name found in the Active Directory Service User Domain Lists. If successful response reply w Accepted.

5. Next change port to 1813 for Request Type Accounting Start click send and reply should be Accounting RADIUS server is working.
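
What a test client like the one in steps 1 to 5 puts on the wire, as an added example that is not part of the original wiki page: it builds the PAP Access-Request for port 1812 and the Accounting-Request (Start) for port 1813 per RFC 2865/2866, and shows that both the password hiding and the accounting authenticator depend only on the shared secret entered in IAS and on the MikroTik. The function names are chosen for illustration; everything runs offline and nothing is sent to a server.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4  # packet codes, RFC 2865 / RFC 2866
USER_NAME, USER_PASSWORD, NAS_IP, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 2, 4, 40, 44

def attr(kind, value):  # one attribute as Type, Length, Value
    return bytes([kind, len(value) + 2]) + value

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    """Server side: undo pap_hide with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(ident, nas_ip, user, password, secret, authenticator=None):
    """Access-Request for port 1812 (steps 3 and 4); random authenticator by default."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user) + attr(NAS_IP, socket.inet_aton(nas_ip))
             + attr(USER_PASSWORD, pap_hide(password, secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def accounting_start(ident, nas_ip, user, session_id, secret):
    """Accounting-Request (Start) for port 1813 (step 5); authenticator is a keyed MD5."""
    attrs = (attr(USER_NAME, user) + attr(NAS_IP, socket.inet_aton(nas_ip))
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", 1)) + attr(ACCT_SESSION_ID, session_id))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest() + attrs

def accounting_authenticator_ok(packet, secret):
    """The check a RADIUS server makes before answering an Accounting-Request."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)
```

A mismatch between the secret on the client and the one stored in the IAS client profile makes `pap_reveal` return garbage and `accounting_authenticator_ok` return False, which is why a test with the wrong secret gets a reject or no reply at all.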

Part D - Activating Domain Users for IAS RADIUS

Check for respective User properties if they are member of RAS and IAS Server groups, if not add them as group mem

Next check the Dial-in tab and enable Allow access for Remote Access Permission.
